Hello
Long time lurker, first time poster.
New to OPNsense but used pfSense for years. I am pulling my hair out and need some advice.
Long story kinda short, I had my pfSense (Netgate SG-2100) using a selective routing setup to Mullvad via WireGuard (VPN1) for my primary VLAN (VLAN10) and I also ran a Raspberry Pi on VLAN 50. VLAN 50 did not use VPN1 but connected using WireGuard client on the Debian running Raspberry Pi.
All worked fine and I could use my full bandwidth (I get ~400/10 from my ISP) to download files using a bittorrent client.
I migrated to an OPNsense (Protectli VP2440; running 26.1.1) and "moved the config over" (this may be a point of contention later but withhold judgment temporarily). After some minor hiccups and new Rule changes that didn't adapt, I got everything running! It is a beast and I love it! Rock solid.... until... I fired up the Raspberry Pi. Once I started downloading a file or two, and the bandwidth kicked up to over ~300Mbps, the whole WAN interface and both VPNs froze up.
I have attached an image of my setups as they progressed through my troubleshooting. Original "known good" setup on pfSense/pre-migration to OPNsense: "Setup 1", "Setup 2" where I replaced the pfSense/Netgate with the OPNsense/Protectli, and "Setup 3" where I removed the managed switch from the equation.
I have tried many things on both the router and the bittorrent client (bandwidth shaping on router, MTU/MSS on both, bandwidth limits on bittorrent client; connection limits on bittorrent client) and once I started downloading any files that require the client to run for more than 2 minutes (e.g. 25GB+) it freezes the VPN2 connection.
Now, in Setup 2, all connections would lock up; in Setup 3, ONLY VPN2 locks up and the WAN and VPN1 stay connected.
I love troubleshooting so here are SOME of the steps I took. Stopping the download does not allow the VPN2 to self correct. I started big and rebooted the router and all goes back to normal until I start a download again.
The ONLY step that seems to work short of a reboot is reloading the WAN DHCP interface in 'Interfaces: Overview' (or the newly found CLI 'configctl interface reconfigure wan' command). I am not familiar enough with FreeBSD/OPNsense to know what all this command does so I'm not quite sure what it's doing that it fixes VPN2, but no other standalone command is able to fix it like this step.
A little more info: I have watched every log in the GUI and whichever ones I could set to "Debug" I did. Nothing pops up OTHER than I seemed to notice a few more pf logs of "mismatched state" but wasn't sure if that was coincidence. This hardware is overkill so my firewall states are not maxing out (maybe 2000 total at the time?), CPU remains around 10% usage and memory is about 10%, so I'm not hitting any max states or connections. I removed the "virusprot" overload rules via "Disable rate limit rule" in "Firewall:Settings:Advanced".
Also, I watched my cable modem to see if any logs popped up there and nothing did. (which I wasn't sure they would in setup 3 because the WAN stayed active)
Now, to go back to my "moved the config over", I asked to withhold judgment because everything else works just like before. So I'm not sure what could be wrong with the config.
Any and all advice welcomed. I'm truly mostly looking to help myself in maybe some info I don't have on what logs I may be able to watch as the issue is fairly easily reproducible.
(If more info is required, please let me know, I just didn't want to overload my initial post and hope this is enough for now.)
THANK YOU!
Are you running your VP2440 with coreboot or AMI? If coreboot, there is an open TSB for the 2.5GbE ports related to ASPM:
https://protectli.com/news/vp2440-coreboot-issue/
https://kb.protectli.com/wp-content/uploads/sites/9/2025/12/TSB-2025-001_-VP2440-ASPM-Network-Performance-Issue_v1_1_0.pdf
Not sure if this is the issue in your case, though.
Thanks OPNenthu! It's a start.
I am indeed running coreboot and was unaware of this issue/TSB!
I am adding the Tunable and rebooting now and will report back.